When adding a user to a project, if the default role is missing, create it.
Bug 1176270
Change-Id: Id972ccf9c132c362a0b85049d248530dc2d56d54
|
This patch removes the use of kwargs from manager calls where not
required. Dogpile.cache (the targeted caching library) does not
support kwargs out of the box with its cache-key-generator. This
change allows us to support the default cache-key-generator; while
it is possible to create a new cache-key-generator function, there
are many possible edge-cases to deal with when making cache
invalidation calls (ensuring the arguments are the same) as well as
possible performance implications (depending on the depth of method
introspection needed to determine how to invalidate the cache).
As an added bonus, this change brings the code touched more in-line
with the rest of keystone where most manager/driver calls do not
use kwargs unless absolutely required.
blueprint: caching-layer-for-driver-calls
Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
Refactor tests/test_backend.py, remove a useless enumerate call in a
for loop.
Change-Id: I5d1914ae3490f715437711d594ec903a2c6632f5
This extension allows for project roles to be optionally
inherited from the owning domain. The v3 grant APIs are extended
to take an inherited_to_projects flag. The GET role_assignments
API will also include these roles in its response, either showing them
as inherited roles assigned to the domain or, if the 'effective'
query parameter is set, will interpret the inheritance and reflect
those role assignments on the projects.
The inherited_to_projects flag is encoded in the role list in
the metadata of the relevant entries in the grant tables. The
'roles' key in the metadata is now a list of dicts, as opposed
to a simple list, where each dict is either
{'id': role_id} for a regular role, or
{'id': role_id, 'inherited_to': 'projects'} for an inherited role
Remember that a previous patch had rationalized the way metadata is
handled so that its structure is entirely hidden within the driver
layer.
The extension can be enabled/disabled via a config setting.
Limitations:
- The extension is not yet discoverable via url, this will be added
as a separate patch when the v3/extensions work is complete.
A separate issue has been discovered with the fact that the v2
calls of 'get_projects_for_user()' and 'list_user_projects()'
should be rationalized and also honor both group (and inherited)
role assignments. This is being raised as a separate bug.
DocImpact
Implements bp inherited-domain-roles
Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
|
Currently there is a mixture of strategies in the v2 and v3 controllers
for how to get the roles assigned for the scope of the requested
authentication. This duplicates code, is hard to maintain and in at
least one case (where your only roles on a project are due to a group
membership) is not actually correct (for v2 tokens).
This change does the following:
- Standardizes on using the 'get_roles_for_user_and_project()', and its
domain equivalent, for how roles are obtained to build a token. This
was already the case for v3 tokens. The controllers no longer need
to get metadata and extract the roles.
- Removes the driver level function to 'authorize_for_project' - this is
now handled within the controller. The driver simply supports the user
authentication.
A nice (and planned for) side effect of the above is that we now hide
the schema of how we store roles within the driver layer - i.e.
nothing outside of the driver (other than any specific-to-implementation
tests) has to know about how roles are stored in the metadata. This paves
the way for a re-implementation of the grant tables in IceHouse.
This change also fills in missing function definitions in the assignment
driver.
Implements bp authenticate-role-rationalization
Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
|
Modify tests/test_backend.py, remove the useless arg ("start index" = 0)
since its default value is 0.
Change-Id: Ia88c538a6dfe751e94fdb7f465ab87ce72cfa108
|
The driver calls used by v3 token controllers to obtain roles
for a user on both project and domain were incorrectly implemented,
leading to roles being missed out of the token. v2 tokens are not
affected, since they don't use the same driver calls.
This fixes these functions and adds additional tests to cover the
cases (all of which would fail without this patch). As part of this
fix, the implementation of 'get_roles_for_user_and_project()' is
pulled up into the driver class (like the domain equivalent is already),
since, for all implementations, it is independent of backend technology.
Fixes bug 1197874
Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320
|
Refactor tests/test_backend.py, remove a useless enumerate call in a for
loop.
Change-Id: I1268ce70d40994078343ec3120021c131e52713d
Add support for the GET /role_assignment call as a first step
to making role_assignment a first class entity.
This patch also enables v3 collection filtering to match against
attributes of entities being returned in the list, using the same
dot notation (e.g. user.id) that we already support for policy file
checking against filters.
Limitations:
- The current implementation uses the standard v3 collections wrapper
mechanism for filtering. Given the potential numbers of role
assignments in a large system, this may have performance and resource
impacts. A future improvement would pass the filters into the
driver layer to keep the internal assignment processing to a minimum.
- The LDAP backend is not currently supported
Implements bp get-role-assignments
Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
Make calls via the manager as opposed to the drivers
in order to support refactoring of common code
Bug 1193420
Change-Id: I69117ea755ed7ef3f7d3732fee83cc758927d296
We don't have a use case for passing the request context to the manager
layer, so this patch removes a bunch of cruft.
Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or another environment-dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
|
The field type checking logic during creating and updating
users applies to all driver calls. It should be centralized in the
identity.Manager rather than continuing the trend of spreading it out
between controllers, managers and drivers.
This patch moves the enabled type checking logic to identity.Manager and
modifies the related test cases in test_backend.py.
Change-Id: I37df56a61cd5ab332dcc9d74a7e99ee9041aa32e
|
Having enabled="true" in json data when updating tenant will produce 500
When updating a project, no type check was performed on the enabled
attribute. Therefore, if enabled value in JSON/XML is not a boolean but
a string, keystone responds with an incorrect Http 500 error code and
the stacktrace.
The change introduces a type validation of the enabled attribute at
identity manager. If the type is not a boolean, keystone now returns an
appropriate Http 400 error code with a message pointing to a bad format for
the attribute.
Test cases have been added to file test_backend and test_content_types
for testing the case when enabled attribute is a string or int when
updating project.
Fixes bug #1191384
Change-Id: I86dd7e71d4bac1e3fd6fcabaa1a2136a47722e5f
fixes: bug #1167593
Change-Id: Ie18fa17f16383f31d8aa083e69fa501d80eb4553
Necessary step for splitting out the projects
also just a cleaner implementation
Blueprint extract-projects-from-id
Change-Id: I79f9cac4ace6894fba5784bf61c8ef5b4e81d28f
Provide a new delete-tokens API, 'delete_tokens', to support
deleting all the tokens for a user in one session in the sql backend. For
kvs and memcache, I also provide the corresponding implementation.
Fix bug 1178063
Change-Id: I986a583e5900ea04e26cbdb7c49638a33818bca7
|
Before this patch auth_token middleware required admin user credentials
stored in assorted config files. With this patch only non-admin user
credentials are needed. The revocation_list and validate_token commands
use a policy.json rule to only allow these commands if you have the
service role.
Rule used:
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
Added the policy wrapper on the validate functions.
Fixes bug 1153789
Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
Code copied and adopted from unittest.TestCase class from CPython 2.7
stdlib.
Change-Id: Ifae16f947600f7a9d1f8d1a879fd914d0cf4d65e
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
|
A proper fix to the above was also blocked by bug 1117356, so that's
fixed here as well (updates properly return the resulting entities).
Change-Id: I672b90e67545cc1fe65b05ef7f8af5b42ca6afc3
Creates a cli entry 'token_flush' which removes all expired tokens.
Fixes: bug 1032633
Implements: blueprint keystone-manage-token-flush
Change-Id: I47eab99b577ff9e9ee74fee08e18fd07c4af5aad
|
When creating or updating a user, no type check was performed on the
enabled attribute. Therefore, if enabled value in JSON/XML is not a
boolean but a string or an int, keystone responds with an incorrect
Http 500 error code and the stacktrace.
The change introduces a type validation of the enabled attribute
at backend and api layer. If the type is not a boolean, keystone
now returns an appropriate Http 400 error code with a message
pointing to a bad format for the attribute.
Test cases have been added to file test_backend and
test_content_types for testing the case when enabled attribute is a
string or int when creating or updating user.
The same correction can be done for create/update projects, domains.
Change-Id: I7d2fe3acf0c4dbd3ce5bdf9f4d059df085853b84
Fixes: bug #1110435
|
Test for fix of bug 1078497
Change-Id: I5cd28b38111f3e80adbb33ef1b1c8db7630d75f8
Change-Id: Ifc8c876760f8402fc3293326972b9286fb1635c9
Currently the tables are not created which means that it isn't
possible for these tests to run on anything other than sqlite.
Fix test issues where the token id that is used to create the token is
not the same as the id that the token is saved with.
Fix a number of foreign key constraints issues.
Bug 1178041
Change-Id: Ib67eb97836e4224940abdeae4bba66748bfe4ca5
|
An undefined variable was used in the trust kvs backend, this
fixes it.
Change-Id: I9c25d85ab64afa2bf7639d3fd14a4d6839dacb64
|
The test_list_trust_by_trustee method in test_backend is
duplicated. One of them should be test_list_trust_by_trustor.
The original test_list_trust_by_trustee that wasn't run before
had a couple of problems so fixed those, too.
Change-Id: I14759c83c5d4b7387e5d760d8418b889c4522c21
|
Change-Id: Ief6534ee25a83027979d92c9ce3a92e0ea28c07c
|
The code tries to construct a byte string object to test the
length of the string field (the explicit construction of the
string object is necessary as sometimes v can be other types,
for example int). This will cause an error if the string field
(v) is a unicode object.
Fixes bug #1166701
Change-Id: I73cee4da5c9f91ce135e7f81d88c979871f61767
Bug 1119641
Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a
|
remove all applicable grants when role is deleted
(sql/kvs solution only)
Fixes: bug #1125637
Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca
Ensure that we validate the domain status of user/project for
a user authenticating via the v2 API.
This patch builds on the initial functional change done by Dolph,
and fixes up the tests that broke due to domain being required in
any tests that set up data directly in the backends.
Fixes Bug #1130236
Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
Clean up clear_live_database so that all fixture data is removed. Make sure we
use the configured trees for each ldap object in tests. Ensure all live tests
pass or are skipped where appropriate.
Fixes: bug #1154277
Change-Id: I2eb4efe78e2c9d2a18bce339765b3ab5d20ac8f5